According to a PricewaterhouseCoopers (PwC) eBook on Security for Social Networking, threats to the corporate network have escalated as the use of social media has soared. In the following we present the most important insights from the eBook.

Social networking is normal in today’s workplace. At any given moment, on-the-job employees are updating Facebook statuses, reading Twitter feeds, and networking on LinkedIn. Some may even be using social networking for legitimate business purposes. Businesses have embraced social networking to strengthen collaboration and productivity by allowing easy access to the knowledge of co-workers. Outside of the workplace, social networking can help an organization attract and engage customers, improve the customer experience, and manage its brand image.

A survey by the Ponemon Institute found that 52% of organizations have reported an increase in malware attacks over the past year due to employee use of social media in the workplace, and that one in three (29%) security breaches result from malware arriving through social media. Risks associated with social media are not limited to malware, however. Cyber criminals can mine networks to obtain valuable information from employees, steal intellectual property, hijack a website or social media account, and damage a company’s reputation. Employees may unwittingly reveal proprietary corporate information or highly regulated data.

Why social media may be hazardous to the corporate network

Before digital social networking, social-engineering culprits were called confidence or “con” men. They typically committed fraud through human interactions, a technique that was limited by the number of people they could reach. Today’s social engineers have gone digital. Phishing is an effective vector of attack, particularly when used in conjunction with social media, enabling criminals to reach thousands of potential fraud victims.

Another danger, particularly for Twitter users, is the use of abbreviated URLs. URL-shortening services from sites such as Bit.ly and is.gd obscure the destination of the link from the user, creating a particularly effective tool for cyber criminals. Indeed, Symantec reported that, during one three-month period, 65% of malicious URLs found on social networks were hiding behind shortened URLs.
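The defensive counterpart to the shortened-URL problem is to expand a short link before anyone clicks it: follow the redirect chain one hop at a time, with automatic redirect-following switched off, and judge the final host rather than the shortener. The following is an added example (not code from the PwC eBook or this article) of such a resolver; the list of shortener hosts and the `files.example.net` / `www.example.com` destinations are assumptions, and the responses it replays offline are constructed for illustration.

```python
"""Expand a shortened URL hop by hop before anyone clicks it.

Added example, not code from the PwC eBook or the article. A mail/web gateway
or an analyst can use it to reveal where a bit.ly / is.gd style link actually
lands, with automatic redirect-following switched off so nothing beyond a HEAD
request is issued per hop. The `fetch` callable is injected: `urllib_head`
issues real HEAD requests, while `offline_fetch` replays the constructed
responses below so the logic runs without network access.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlparse
import urllib.error
import urllib.request

# Shortener hosts (assumed, illustrative list; extend from your own gateway data).
SHORTENER_HOSTS: Set[str] = {"bit.ly", "is.gd", "t.co", "tinyurl.com", "goo.gl"}

# Status codes whose Location header we follow manually.
REDIRECT_CODES = {301, 302, 303, 307, 308}

Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


@dataclass
class Resolution:
    chain: List[str]           # every URL visited, starting with the input
    final_url: Optional[str]   # None when resolution was abandoned
    verdict: str               # "ok", "blocked", "loop", "too_many_hops", "error"


def is_shortener(url: str) -> bool:
    """True if the URL's host is a known shortening service."""
    return (urlparse(url).hostname or "").lower() in SHORTENER_HOSTS


def urllib_head(url: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str]]:
    """Real fetcher: one HEAD request, redirects deliberately NOT followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for 3xx
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, dict(err.headers)


def resolve(url: str, fetch: Fetcher, max_hops: int = 10,
            allowed_hosts: Optional[Set[str]] = None) -> Resolution:
    """Follow redirects one hop at a time, recording the whole chain.

    Stops on a redirect loop, on more than `max_hops` redirects, or on any
    fetch error; if `allowed_hosts` is given the final host must be in it.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        try:
            status, headers = fetch(current)
        except Exception:  # DNS failure, timeout, unknown URL in offline mode
            return Resolution(chain, None, "error")
        headers = {k.lower(): v for k, v in headers.items()}
        if status not in REDIRECT_CODES or "location" not in headers:
            break  # reached a non-redirect response
        nxt = urljoin(current, headers["location"])  # handles relative Location
        chain.append(nxt)
        if nxt in seen:
            return Resolution(chain, None, "loop")
        seen.add(nxt)
        current = nxt
    else:
        return Resolution(chain, None, "too_many_hops")
    host = (urlparse(current).hostname or "").lower()
    if allowed_hosts is not None and host not in allowed_hosts:
        return Resolution(chain, current, "blocked")
    return Resolution(chain, current, "ok")


# Constructed responses standing in for live servers (not real shortener data).
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Dict[str, str]]] = {
    "https://bit.ly/abc123": (301, {"Location": "https://is.gd/xyz"}),
    "https://is.gd/xyz": (302, {"Location": "/landing"}),  # relative redirect
    "https://is.gd/landing": (302, {"Location": "https://files.example.net/update.exe"}),
    "https://files.example.net/update.exe": (200, {"Content-Type": "application/octet-stream"}),
    "https://bit.ly/loop1": (302, {"Location": "https://bit.ly/loop2"}),
    "https://bit.ly/loop2": (302, {"Location": "https://bit.ly/loop1"}),
    "https://bit.ly/press": (301, {"Location": "https://www.example.com/press"}),
    "https://www.example.com/press": (200, {"Content-Type": "text/html"}),
}


def offline_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Offline fetcher replaying the constructed responses above."""
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    for link in ("https://bit.ly/abc123", "https://bit.ly/loop1", "https://bit.ly/press"):
        r = resolve(link, offline_fetch, allowed_hosts={"www.example.com"})
        print(r.verdict, " -> ".join(r.chain))
```

Two design points matter here: the resolver never lets the HTTP library follow redirects on its own, so every intermediate hop is logged and a chain that bounces through several shorteners is visible rather than collapsed; and the verdict is made on the final host, not on the shortener, which is what an allowlist or reputation lookup at the gateway should be keyed on.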

Another way to uncover user account information is the use of data-mining scripts that “scrape” information from social networking sites. Many people use the same log-in information for multiple social media accounts, and this information is tempting and potentially profitable to criminals.

Not all information leaks result from the efforts of criminals, however. Employees themselves may voluntarily disclose critical business information and intellectual property. Use of location-based social networking apps also can unintentionally provide information that can be exploited by competitors. For instance, an employee who broadcasts his or her whereabouts by “checking in” to locations might compromise an acquisition if the employee repeatedly checks into the target company’s location during negotiations.

In addition to personal and business information, data leakage also can violate confidentiality mandates. There are numerous cases in which a healthcare employee posted information about a patient’s medical records on social media, a clear violation of the Health Insurance Portability and Accountability Act.

How businesses can balance security and social networking

To reap the benefits of social media – and avoid the potential threats – businesses should embrace social networking and implement a proactive strategy to safeguard corporate networks and data. It is critical that the security strategy be backed by rigorous and continuous employee awareness and training.

According to PwC, a social media strategy should be two-pronged: it should set forth policies and procedures that govern the use of social networks and corporate information, and it must back up those policies with technology that protects the safety and integrity of data and the corporate network.

An effective approach requires that the business and technology sides of the company are united and fully committed to a social networking security strategy. The two must analyze content and policies in detail, as well as determine the right mix of enterprise technologies to monitor, classify, and manage data. It is essential that the business classifies data, so that employees understand precisely what is – and is not – sensitive information. This process should specifically delineate how employees may use sensitive data, as well as define who is authorized to access and share corporate content.

The policy also must clarify the types of social networking accounts the company sponsors. For instance, the business should ensure that employees understand the difference between a company-sponsored Twitter or Facebook account and individual company accounts run by a person or team. Everyone must know that these corporate accounts are very different from an employee’s personal account.

What’s more, the business must clearly specify who is responsible for particular types of communications using social media, typically determined within the marketing and customer service departments. The company also should establish management oversight for social media, designating both a chief strategist and a community manager, for instance.

The security policy also should specify whether employees may access social networking sites from corporate-owned devices such as smart phones and tablets, and which apps may be used to access social media. Enforcement mechanisms will be required as well to ensure that policies are followed.

No strategy is complete without a remediation plan. Thus, the business should plan how it will manage reputational damage and respond to critical online commentary. Social networking can instantly create buzz as well as a blizzard of negative publicity, so the strategy should include a game plan to evaluate the situation quickly and act appropriately and swiftly.

Establishing social media policies is only the beginning: The real work lies in getting employees to make behavioral changes. The success of any social networking security program will hinge upon thorough and continuous education of the workforce. It is critical that businesses fully detail the consequences of noncompliance with social media policies. Policies should state that employee use of social media might violate the corporate code of conduct for privacy, client confidentiality and intellectual property. Be clear: Jobs are at risk.

Why technology is essential to an effective security strategy

Strong policies and awareness programs can be reinforced with appropriate technology enforcement and monitoring solutions that protect against malware, data leakage, and other suspicious activity. Possible strategies include multilayered security at the gateway and the end points, content classification, content filtering, data loss prevention (DLP), and mobile device management (MDM) solutions. Identifying the right combination of these security tools can be a daunting challenge because Web 2.0 technology is freewheeling and constantly evolving.

Effective security for social networking must leverage both decentralized and centralized modes of IT security. In other words, the business must protect both the network and the end points. Risks also exist outside the enterprise, and many businesses will want to protect their brands and strengthen customer service and marketing initiatives by actively monitoring social-digital conversations. The business must decide what media should be monitored and revisit that policy periodically. It is important to note that, in some cases, risks could escalate into legal issues; counsel, therefore, should have input into monitoring strategies.

What this means for your business

As risks associated with social networking escalate, businesses must take extraordinary care to craft an integrated security strategy that balances employee education with sophisticated network monitoring and data protection technology. This initiative will require a united partnership between the business and information technology groups.

PwC believes businesses must approach social networking with equal measures of opportunity, caution, and careful planning. The activities, risks, and technologies associated with social networking are constantly evolving as the types of social media sites and applications proliferate. It is essential that the business develop a life-cycle strategy that can address current needs and quickly adapt to changes in the social networking landscape. (Source: www.pwc.com / Security for Social Networking)

By Hiba Assi